Matrix Posted June 18, 2018

When it was released back in 2015, one of the main perks of Windows 10 was the improved security features that made it harder for rootkits to get a foothold on Microsoft's new OS. But three years later, security researchers from Romania-based antivirus vendor Bitdefender say they've discovered a new adware strain named Zacinlo that uses a rootkit component to gain persistence across OS reinstalls, a rootkit component that's even effective against Windows 10 installations.

In fact, researchers say that 90% of all Zacinlo's recent victims are Windows 10 users, showing that crooks intentionally designed their "product" to work against Microsoft's latest OS.

Zacinlo group active since 2012

But it wasn't always so. According to researchers, the group behind Zacinlo has been in business since 2012 and has been distributing its malware all this time. The adware's distribution came in surges of activity, with big spikes in 2014, 2015, and especially in 2017 and 2018. It is believed that in these past two years, Zacinlo added its rootkit component that can work on Windows 10.

"The adware components are silently installed by a downloader that is presented as a free and anonymous VPN service (s5Mark)," Bitdefender experts wrote in a 102-page report, released today, detailing Zacinlo's modus operandi and all of its modules.

Finding a powerful threat like Zacinlo in the s5Mark app isn't a surprise, as this app was previously categorized as a PUP (Potentially Unwanted Program) for a long time [1, 2]. This VPN app (actually more of a proxy) didn't and still doesn't do that much, to begin with, but it serves its purpose as the initial point of infection and "downloader" for Zacinlo's other modules.

Of all these modules, the rootkit one is the most important, as it can ensure the adware survives on infected hosts for weeks, months, or years. Furthermore, this same rootkit module is also used to stop processes deemed dangerous to the functionality of the adware, while also protecting the adware from being stopped or deleted.

Zacinlo has some pretty dangerous privacy-intrusive features

There is also a module for carrying out man-in-the-middle (MitM) attacks to intercept traffic, even HTTPS. While this feature could allow it to intercept banking sessions and tamper with online payments, Zacinlo has been using this feature mainly to inject ads into any web pages it wants.

Another module that stands out is one that can detect and remove competing adware. Bitdefender says this module isn't very advanced, but it is something not seen in most adware families.

Zacinlo also comes with regular adware components that harvest local system information, transmit it to a remote command and control server, and then receive commands from it. These commands allow the adware's master to uninstall or delete any local services he deems dangerous, like the ones specific to security software.

But besides the rootkit and the MitM component, there is another Zacinlo module that sends shivers down your back, and that's its "screenshotting" module that can take screengrabs of the victim's screen, similar to a feature often found in RATs (remote access trojans).

"This functionality has a massive impact on privacy as these screen captures may contain sensitive information such as e-mail, instant messaging or e-banking sessions," Bitdefender says.

Zacinlo used mainly for clickjacking and ad fraud

Further, Zacinlo also comes with a self-update feature to upgrade its components with new versions, the ability to install any software it wants on the victims' systems, a "redirector" module to make users forcibly navigate to a web page, and an ad replacer to push its own ads, part of affiliate schemes, into users' browsing sessions.

Last but not least, Zacinlo also runs a Chromium-based headless browser in the background where it loads web pages and ads on which it silently clicks to generate profits for crooks.

Overall, this is a dangerous threat that's been silently spreading for the last six years, and most of its victims have been spotted in the US, with others also seen in France, Germany, Brazil, China, India, Indonesia, and the Philippines.
steven36 Posted June 18, 2018

Quote:

Get Your Apps for Nothing, Your Malware for Free

Adware is easy money for cyber-criminals who install malware in advertisements. Researchers have discovered a new piece of malware dubbed Zacinlo that specializes in advertising fraud. According to Bitdefender, Zacinlo uses several platforms to pull advertising from, including Google AdSense.

Adware has long been used to augment the earnings of software developers who deliver free applications to consumers. It's been a winning strategy for app developers whose products have landed in the hands of users around the globe, but the unspoken contract of "no financial strings attached" has been governed by the third-party advertisers. Advertisers absorbing the product's cost in exchange for customer data is what gave rise to adware.

In a white paper released today, Bitdefender wrote that "adware has witnessed constant improvements over the years in both data collection and resilience to removal. The line between adware and spyware has become increasingly fuzzy during recent years as modern adware combines aggressive opt-outs with confusing legal and marketing terms as well as extremely sophisticated persistence mechanisms aimed at taking control away from the user."

Zacinlo, spyware that has been running since early 2012, infects a user's PC and performs one of two tasks: it either opens invisible browser instances to load advertising banners and then simulates clicks from the user, or it replaces ads loaded naturally inside the browser with the attacker's ads in order to collect advertising revenue.

An interesting feature of this adware is that it includes a rootkit driver that protects itself, as well as its other components. Extremely rare and difficult to remove, rootkit-based malware is usually found in less than 1% of threats.

"Threats like Zacinlo clearly demonstrate that crime does pay. Advertising abuse has been known to happen for years, but Zacinlo takes this to a whole new level. The complexity and longevity, as well as the multitude of samples, show that the team that operates it manages to defraud significant amounts of money from publishers and advertisers," said Bogdan "Bob" Botezatu, senior e-threat analyst at Bitdefender.

"Since the rootkit component attempts to subvert both the operating system and the security solutions running on top of it, I would highly recommend that, from time to time, users run a full security sweep," Botezatu said.